Like Firesheep to the Slaughter

Mandatory encryption is necessary to stop wireless snooping

Chances are you’ve heard of Firesheep, the web plug-in that lets anybody access other people’s Facebook and Twitter accounts over the same wireless network. The application is dangerous but eye-opening, and it may redefine the Internet as we know it.

Don’t be put off by its silly name, which is a bad pun on the offbeat title of the browser it enhances, Firefox. If anything, the names of the two programs should be reversed, as it is the Firesheep users who prey upon the great, defenseless herds of the Internet. It may soon reach the point, however, when the legions of lazy hackers outnumber their victims. The software was downloaded more than 104,000 times in the first 24 hours, and downloads have grown to at least 700,000 as of this week.

Concern over Firesheep has quickly spread across Harvard in the past few weeks, including a community advisory email from FAS-IT and a demonstration in CS 50 showing how easy it is to access someone’s Facebook account. The plug-in reminds us how often we simply trust that communication is confidential, when the opposite is typically true. Most websites perform the obvious step of encrypting login information with SSL, but that is where security ends. Encryption is expensive, so many websites drop back to unencrypted HTTP after login and rely on a session cookie to identify the logged-in user. Since all data over an open wireless network is broadcast freely to everyone within range, other users can intercept that cookie once the session is in progress and use it to do anything the original user is able to do.

Hijacking cookies after a session has started, called “sidejacking” in geek parlance, has always been easy for those in the know. Firesheep merely democratizes the process, making it available to spiteful exes, mischievous pre-teens, and disgruntled coworkers everywhere.
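To make the mechanism concrete, here is an added Python illustration (not code from the column, nor from Firesheep or any site it targets) that models which cookies a browser would attach to a plaintext request under the “SSL for login only” pattern described above, versus a configuration that sets the Secure flag and sends an HSTS header. The header values are constructed, not captured from any real site.

```python
"""Model of why a session cookie set after an SSL login is still exposed on an
open wireless network, and how the Secure flag plus site-wide HTTPS closes it.
Added illustration, not code from the column or from Firesheep.  The sample
headers are constructed, not captured from any real site."""
from http.cookies import SimpleCookie

# Constructed examples.  LOGIN_ONLY_SSL is the pattern the column describes:
# credentials go over SSL, but the session cookie carries no Secure flag, so
# the browser also attaches it to every plain http:// request to the site.
LOGIN_ONLY_SSL = {"Set-Cookie": "sid=c0ffee; Path=/"}
MANDATORY_SSL = {"Set-Cookie": "sid=c0ffee; Path=/; Secure; HttpOnly",
                 "Strict-Transport-Security": "max-age=31536000"}


def parse_cookies(headers):
    jar = SimpleCookie()
    jar.load(headers.get("Set-Cookie", ""))
    return jar


def cookies_sent_over(headers, scheme):
    """Cookie names a browser would attach to a request made with `scheme`.
    A cookie without the Secure flag goes out over both http and https."""
    jar = parse_cookies(headers)
    return sorted(n for n, m in jar.items() if scheme == "https" or not m["secure"])


def audit(headers):
    """Summarise whether someone sniffing plaintext traffic on the same
    network would ever see the session cookie."""
    jar = parse_cookies(headers)
    hsts = "Strict-Transport-Security" in headers
    findings = {}
    for name, m in jar.items():
        secure = bool(m["secure"])
        findings[name] = {
            "secure": secure,
            "httponly": bool(m["httponly"]),
            # exposed if it can ever ride a plaintext request
            "sidejackable": not secure,
            # Secure protects the cookie; HSTS keeps the browser on HTTPS so
            # the protected cookie is still sent and the session keeps working
            "mitigated": secure and hsts,
        }
    return findings


if __name__ == "__main__":
    for label, hdrs in (("login-only SSL", LOGIN_ONLY_SSL), ("mandatory SSL", MANDATORY_SSL)):
        print(label, "over http ->", cookies_sent_over(hdrs, "http"), audit(hdrs))
```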

Given that Firesheep is most effective at targeting social websites, it can’t do much damage in coffee shops or Internet cafes, since people can only spy on the random strangers who happen to be there. The plug-in is far more devastating in places where everybody knows everybody else, such as college classrooms and libraries. In other words, we have the most to lose.

Though the legality of sidejacking is hardly clear, the plug-in has spurred some grandiose ethical debates on the nature of evil. Is it wrong to use Firesheep just to see what it’s like? Are Firesheep users born evil, or do they have evilness thrust upon them? Or, more common among Harvard students, if Firesheep can’t access Gmail, then what’s the big deal?

Firesheep’s creator Eric Butler claims that he released the client merely to expose the security problems with unencrypted data sent over a wireless network. I believe him about as much as I believe the Joker when he tells Batman that he’s just conducting a social experiment.

Although Firesheep has yet to lead to major changes at targeted websites—Twitter has said that switching to SSL won’t happen for a few months—it has led to escalation, as other hackers attempt to fight Firesheep with fire. Butler was responsible enough to post the source code to Firesheep on his website, and understanding the nitty-gritty details about how it operates has allowed rival plug-ins to turn Firesheep’s own algorithms against it. However, such countermeasures, like the plug-in Blacksheep, can only detect Firesheep activity, not stop it, and they do nothing to prevent other sidejacking attacks.

In providing average citizens with ammunition, Butler has contributed to the increasing militarization of the Internet. Regardless of his motives, releasing Firesheep has generated the same mixture of fear, confusion, and general hilarity associated with the Anonymous movement and its various hacker collectives, like 4chan. These hacker groups have been attacking a range of targets, from white supremacist Hal Turner to teen sensation Justin D. Bieber, for most of the decade, and while their victims tend to be people most Harvard students love to hate, innocents can get caught in the crossfire. For instance, Apple’s stock price dropped significantly in 2008 when 4chan pranksters posted a fake entry on CNN’s iReport that Steven P. Jobs had suffered a heart attack.

The way to respond to such juvenile bomb-throwers is not to stoop to their level, either through countermeasures like Blacksheep or the CS 50-endorsed HTTPS Everywhere, nor is it to wait patiently until websites institute SSL everywhere. Instead, concerned citizens should push their governments to require mandatory encryption for any websites that traffic in sensitive information.

Firesheep, though crude in its methods, does an admirable job of revealing just how insecure most of the Internet really is. Trust permeates the web to its core, which may have been fine when it was a tiny academic playground, but it is entirely unacceptable today. Before the Internet further devolves into a battlefield for rival hackers, some adults should step in to clean up the mess.

Adam R. Gold ’11, a Crimson editorial writer, is a physics concentrator in Adams House. His column appears on alternate Fridays.